[ https://issues.apache.org/jira/browse/MGPG-111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17824936#comment-17824936 ]
Elliotte Rusty Harold edited comment on MGPG-111 at 3/9/24 12:42 PM:
-
Interesting blog article. After reading it, I'm not surprised that
maven-dependency-analyzer doesn't pick up "dependency grouping". It's
essentially a hack that uses undeclared transitive dependencies instead of
declared direct dependencies. I suppose you might make a case for that, but
it's the opposite of what maven-dependency-plugin:analyze is trying to check.

My personal opinion is that developers should bite the bullet and declare all
their direct dependencies and only direct dependencies. Use a BOM to set
versions of related projects, but not to add dependencies to the tree.
Anything else runs counter to the design of Maven and the Maven repository
system, and will cause more problems than it solves.

The design of the Maven repo system is far from perfect, but it's what we've
got, and we can't hack changes into it. Anything better would require a
complete rethink of everything beyond jar files and classpaths. It's the
classic antipattern of someone wishing the system were other than it is, and
trying to pound the round peg into a square hole by using a bigger hammer.
Other examples of this antipattern include "functional" programming in Java,
various schemes to avoid declaring and handling checked exceptions, and any
number of faster XML parsers that achieve speed by changing or subsetting the
XML spec.
> Clean up dependency declarations
> -
>
> Key: MGPG-111
> URL: https://issues.apache.org/jira/browse/MGPG-111
> Project: Maven GPG Plugin
> Issue Type: Dependency upgrade
> Reporter: Elliotte Rusty Harold
> Priority: Minor
>
> [WARNING] Used undeclared dependencies found:
> [WARNING]    org.apache.maven:maven-artifact:jar:3.9.6:provided
> [WARNING]    org.apache.maven:maven-settings:jar:3.9.6:provided
> [WARNING]    com.kohlschutter.junixsocket:junixsocket-common:jar:2.9.0:compile
> [WARNING]    org.apache.maven.resolver:maven-resolver-impl:jar:1.9.18:provided
> [WARNING] Unused declared dependencies found:
> [WARNING]    com.kohlschutter.junixsocket:junixsocket-core:pom:2.9.0:compile
> [WARNING]    org.codehaus.plexus:plexus-cipher:jar:2.0:compile
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
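Added example, not part of the Jira thread and not code from the Maven GPG Plugin or maven-dependency-plugin: the script below parses the dependency:analyze warnings quoted in the issue description and, for each artifact that is used but undeclared, emits the explicit <dependency> stanza the comment argues should be declared directly. With version_managed=True the <version> element is omitted so that a BOM imported in <dependencyManagement> supplies it, which is the "BOM for versions, not for adding dependencies" usage the comment recommends. The warning lines are copied from the issue; the coordinate layout groupId:artifactId:type[:classifier]:version:scope and all function names are my assumptions.

```python
"""Parse `mvn dependency:analyze` warnings and render the <dependency>
stanzas needed to turn used-but-undeclared transitive dependencies into
declared direct ones. Added example; not the Maven project's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Warning lines exactly as quoted in the MGPG-111 issue description.
ANALYZE_OUTPUT = """\
[WARNING] Used undeclared dependencies found:
[WARNING]    org.apache.maven:maven-artifact:jar:3.9.6:provided
[WARNING]    org.apache.maven:maven-settings:jar:3.9.6:provided
[WARNING]    com.kohlschutter.junixsocket:junixsocket-common:jar:2.9.0:compile
[WARNING]    org.apache.maven.resolver:maven-resolver-impl:jar:1.9.18:provided
[WARNING] Unused declared dependencies found:
[WARNING]    com.kohlschutter.junixsocket:junixsocket-core:pom:2.9.0:compile
[WARNING]    org.codehaus.plexus:plexus-cipher:jar:2.0:compile
"""


@dataclass(frozen=True)
class Artifact:
    group_id: str
    artifact_id: str
    packaging: str      # Maven <type>: jar, pom, ...
    version: str
    scope: str
    classifier: str = ""

    def to_pom_xml(self, version_managed: bool = False) -> str:
        """Render a <dependency> stanza. With version_managed=True the
        <version> element is left out so a BOM in <dependencyManagement>
        controls it; the dependency itself is still declared explicitly."""
        lines = ["<dependency>",
                 f"  <groupId>{self.group_id}</groupId>",
                 f"  <artifactId>{self.artifact_id}</artifactId>"]
        if not version_managed:
            lines.append(f"  <version>{self.version}</version>")
        if self.packaging != "jar":          # jar is Maven's default <type>
            lines.append(f"  <type>{self.packaging}</type>")
        if self.classifier:
            lines.append(f"  <classifier>{self.classifier}</classifier>")
        if self.scope != "compile":          # compile is the default <scope>
            lines.append(f"  <scope>{self.scope}</scope>")
        lines.append("</dependency>")
        return "\n".join(lines)


# Section header, e.g. "[WARNING] Used undeclared dependencies found:"
SECTION_RE = re.compile(r"^\[WARNING\]\s+(.+?) dependencies found:\s*$")
# Indented coordinate line with 5 or 6 colon-separated fields (assumed layout).
COORD_RE = re.compile(r"^\[WARNING\]\s+([^\s:]+(?::[^\s:]+){4,5})\s*$")
SECTIONS = {"Used undeclared": "used_undeclared",
            "Unused declared": "unused_declared"}


def parse_coordinates(coord: str) -> Artifact:
    """Split groupId:artifactId:type[:classifier]:version:scope."""
    parts = coord.split(":")
    if len(parts) == 5:
        g, a, t, v, s = parts
        return Artifact(g, a, t, v, s)
    if len(parts) == 6:
        g, a, t, c, v, s = parts
        return Artifact(g, a, t, v, s, classifier=c)
    raise ValueError(f"unrecognised Maven coordinate: {coord!r}")


def parse_analyze_output(text: str) -> Tuple[List[Artifact], List[Artifact]]:
    """Return (used_undeclared, unused_declared). Lines under a section this
    parser does not know (e.g. test-scope warnings) are ignored."""
    buckets = {"used_undeclared": [], "unused_declared": []}
    current: Optional[List[Artifact]] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = SECTIONS.get(m.group(1))
            current = buckets[key] if key else None
            continue
        m = COORD_RE.match(line)
        if m and current is not None:
            current.append(parse_coordinates(m.group(1)))
    return buckets["used_undeclared"], buckets["unused_declared"]


def missing_declarations(text: str, version_managed: bool = False) -> str:
    """Stanzas for every artifact the build uses without declaring it."""
    used, _ = parse_analyze_output(text)
    return "\n".join(a.to_pom_xml(version_managed) for a in used)


if __name__ == "__main__":
    used, unused = parse_analyze_output(ANALYZE_OUTPUT)
    print(f"{len(used)} used-but-undeclared, {len(unused)} declared-but-unused")
    print(missing_declarations(ANALYZE_OUTPUT, version_managed=True))
```

Feed it the console output of `mvn dependency:analyze` and review the generated stanzas before pasting them into the pom; the "unused declared" list is the other half of the same clean-up and is returned separately so those entries can be removed rather than rewritten. The point of keeping this explicit is the supply-chain one behind the comment: a class resolved only through someone else's transitive dependency means the artifact's version and presence are decided by a pom you do not control.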